CN106330949A - Intrusion detection method based on Markov chains - Google Patents


Publication number
CN106330949A
Authority
CN
China
Prior art keywords
state
intrusion detection
transition
event
dtmc
Prior art date
Legal status
Granted
Application number
CN201610821236.0A
Other languages
Chinese (zh)
Other versions
CN106330949B (en)
Inventor
吴艳霞
孙彬
姬翔
卢文祥
王胜
Current Assignee
Harbin Engineering University
Original Assignee
Harbin Engineering University
Application filed by Harbin Engineering University
Priority to CN201610821236.0A
Publication of CN106330949A
Application granted
Publication of CN106330949B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1425 Traffic logging, e.g. anomaly detection
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/14 Network analysis or design
    • H04L 41/145 Network analysis or design involving simulating, designing, planning or modelling of a network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Alarm Systems (AREA)

Abstract

The invention provides an intrusion detection method based on Markov chains. Network packet features are extracted and a Markov-chain data model is built from them; separate Markov chain models are constructed in a training phase and in a detection phase; the intrusion detection algorithm is improved according to event importance; and the improved algorithm performs anomaly detection by comparing the training-phase and detection-phase Markov chains to obtain the anomaly result. The method targets attack types specific to industrial control systems (ICS): even when every network packet has a completely normal format, attacks based on the sequence and timing of operations can still occur. Experiments show that the method effectively reduces the false alarm rate and offers higher detection efficiency and accuracy.

Description

Intrusion detection method based on Markov chains
Technical field
The present invention relates to an intrusion detection method for ICS systems, and specifically to an intrusion detection method that builds a Markov chain model of the traffic of an ICS system.
Background technology
Today the information security field faces a new threat that has drawn the attention of every country, company and organization: the advanced persistent threat (APT). APT attacks are characterized by a clearly defined target, strong organization, highly advanced hacking techniques, a variety of complex attack methods, persistence and stealth, and they are a continuing concern of security companies and organizations. APT attacks occur not only in traditional information technology (IT) systems but also in the field of industrial control. Industrial control systems (ICS) are widely used in automated industrial processes and cover a country's critical infrastructure, such as electric power, water and wastewater treatment, oil and natural gas, transport, chemicals, pharmaceuticals, pulp and paper, food and beverage, and key manufacturing industries (for example automotive, aerospace and durable goods). The vulnerabilities of ICS systems and the security incidents affecting them are continuously increasing.
Intrusion detection decides whether a data instance is anomalous by determining its label. According to how far data labels are available, anomaly detection can be divided into three models. 1. Supervised training assumes that the training data set contains labelled instances of both the normal class and the anomaly class; the drawbacks of this technique are that the number of anomalous instances in the training data is far smaller than the number of normal instances, and that obtaining accurate and representative labels by analysing the anomaly class is very difficult. 2. Unsupervised training requires no training data, but requires that the number of normal instances be far greater than the number of anomalous instances. 3. Semi-supervised training assumes that only the instances belonging to the normal class in the training data set carry labels.
Summary of the invention
The object of the invention is to provide an intrusion detection method based on Markov chains that effectively reduces the false alarm rate and has higher detection efficiency and accuracy.
The object of the invention is achieved as follows:
Step 1: extract network packet features and build a Markov-chain data model;
Step 2: construct Markov chain models separately in the training phase and in the detection phase;
Step 3: improve the intrusion detection algorithm according to event importance;
Step 4: using the improved intrusion detection algorithm, perform anomaly detection on the training-phase and detection-phase Markov chains and obtain the anomaly result.
The present invention may further include:
1. Extracting network packet features means defining the network data as a time-based event sequence. For the Modbus protocol, the time-based event sequence has the form {EventTime};
EventTime is a four-tuple <ID, UID, Func, Time>:
ID uniquely identifies a request/response message pair;
UID is the unit identifier of the Modbus/TCP protocol and uniquely identifies the slave address;
Func is the function code of this Modbus event;
Time is the timestamp.
2. Building the Markov-chain data model means modelling states and the transition relations between them.
Each state State is a five-tuple data cell, formalised as <Data, Type, Count, FT, LT>;
each state transition relation Transition from a source state State_Source to a destination state State_Destination is a six-tuple data cell, formalised as <Pr, Count, FJ, LJ, ATI, SDTI>.
3. Improving the intrusion detection algorithm according to event importance means assigning a weight (weight) to the corresponding important states in the DTMC model to express the degree of importance of different states; events adjacent to an identified important event are also treated as important.
4. The anomaly detection computes difference values with the following two formulas; a threshold θ is set for the detection process on the DTMC state difference values, and the difference values are then compared against θ to decide whether an anomaly is present:

$$\mathrm{diff}_{Transition} = weight_{SourceState} \cdot \left| depr_{Transition} - trpr_{Transition} \right|$$

$$\mathrm{diff}_{State} = \frac{1}{2} \sum_{Transition \in T} weight_{DestinationState} \cdot \mathrm{diff}_{Transition}$$
The present invention takes the most flexible of current intrusion detection technologies, anomaly detection, and applies it to the analysis of sequence anomalies. Based on a semi-supervised training technique, it proposes an intrusion detection algorithm based on Markov chains and combines it with an algorithm improvement driven by event importance; compared with the algorithm before the improvement, the improved algorithm effectively reduces the false alarm rate and has higher detection efficiency and accuracy. The main effects of the invention are summarised as follows:
The invention models the data with a discrete-time Markov chain (DTMC). When building the sequence, events with complex attributes have to be abstracted into a more uniform concept, namely a state of the DTMC. The invention extracts the attributes that two events have in common and assigns both events to the state identified by those common attributes, so a state of the DTMC represents the set of sequence elements that share the same semantic attributes. The time-based ordering of events is equally important, and it is captured by the transition relations of the DTMC. A DTMC transition relation serves several purposes: it records the strength of the relationship between the current event and the following event, for example how many times another event follows a given event, and it records how that relationship changes over time, for example whether the time interval between two states stays constant. The transition relation from state State1 to state State2 represents the common transitions between events belonging to State1 and events belonging to State2.
For anomalies of unknown probability, the sequence-based intelligent intrusion detection system proposed here is unlikely to produce a large number of false alarms, because the Pr parameter of a transition relation in the DTMC model is stable. In a DTMC the Pr value of a state normally does not rise or fall sharply; if it does, it means that administrators have made a major adjustment to the ICS system that substantially changed the relationships between the states of the system, and such a situation is clearly uncommon. Intrusion detection must nevertheless watch continuously for anomalies of unknown probability. False alarms are also closely related to training time: the longer the intrusion detection system trains, the more correct events it collects and the more correct patterns it builds, the more accurately it detects anomalies and the lower its false alarm rate.
For intrusion detection, the invention sets a threshold θ on the DTMC state difference values. If the result of formula 1 or formula 2 exceeds θ, the intrusion detection system sends alarm information to the user; this information includes the current DTMC state and its semantics in the environment. The choice of θ matters greatly, because the performance of the intrusion detection system depends heavily on it. On the one hand, if θ is set too high, the precision of the detection system rises and false alarms become rare, but its recall falls and missed detections increase. On the other hand, if θ is set too low, a large number of false alarms appear, the whole intrusion detection system stays in a state of continuous false alarms, and intrusion detection stops being useful. The threshold setting also depends on the characteristics of the environment in which the intrusion detection system runs: if the communication pattern of the control system is highly variable, the intrusion detection system needs a higher threshold.
Regarding event importance, not every event has the same importance: different messages, commands and parameter values affect the control system to different degrees. As an improvement of the detection algorithm, the invention improves intrusion detection in two ways: it assigns a higher weight to the corresponding important states in the DTMC model, and it identifies the events already marked as important and assumes that the other events adjacent to an identified important event also have an influence. In this way the data most likely to be useful are extracted from the mass of data, and intrusion detection concentrates on analysing these important, relevant events; detection performance improves and the accuracy of the results increases. The time-sequence-aware intrusion detection system can react with alarms of different severity according to how important or unimportant an anomalous event is. For example, for an unimportant anomalous event the system raises an alarm only when that event causes a large change in a state or in the attribute values of a transition relation, so the number of false alarms drops noticeably.
Experiments show that after the weights identifying state importance are added, the improved algorithm greatly reduces the state difference values and brings the transition-relation difference values below the threshold, thereby reducing or even avoiding false alarms on harmless anomalies. According to run-time statistics of the program, building the DTMC model takes on average 0.0003 s per event, computing all state weights takes 0.0001 s, and computing the detection result takes 0.00007 s. Including the time needed for data capture, the intrusion detection system designed here processes one Modbus record in less than 0.01 s on average, which meets the real-time requirements of ICS systems.
Description of the drawings
Fig. 1: system flow chart of the invention;
Fig. 2: DTMC modelling algorithm;
Fig. 3: Modbus data example;
Fig. 4: simulated modelling, stage 1;
Fig. 5: simulated modelling, stage 2;
Fig. 6: weight computation in the improved algorithm;
Fig. 7: implementation of the weight computation.
Detailed description of the invention
The invention is described in more detail below.
With reference to Fig. 1, the intrusion detection method based on Markov chains comprises the following: first, the network data are defined as a time-based event sequence; then, using a Markov chain, the network data are abstracted into states and transition relations and a Markov model is built; after that, Markov chain models are built separately in the learning phase and in the detection phase; finally, the intrusion detection algorithm is applied to the two models, screening for anomalies in two ways, namely comparing the data of the two models and checking whether the computed difference values lie within the threshold. The method comprises the following technical means:
1. Define the network data as a time-based event sequence.
The invention is illustrated with the Modbus protocol. The definition of the time-based event sequence relies mainly on two attributes: the function code and the time. For the Modbus protocol, the time-based event sequence has the form {EventTime}, where EventTime is a four-tuple <ID, UID, Func, Time> derived from a request/response message pair (ReqMessage_Time, ResMessage_{T>Time}); ID uniquely identifies a request/response message pair; UID is the unit identifier of the Modbus/TCP protocol and uniquely identifies the slave address; Func is the function code of this Modbus event; Time is the timestamp; ReqMessage_Time is the request message at time Time, and ResMessage_{T>Time} is the response message corresponding to that request, sent at a time T later than Time. If a request message cannot be matched with a response message into a pair (for example a broadcast request on the Modbus network), the single Modbus record is processed as an event.
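As an added worked example (not code from the patent), the following Python script turns constructed Modbus/TCP frames into the EventTime four-tuples described above: it parses the MBAP header, pairs each request with its response by transaction identifier and unit identifier, and treats broadcast requests, orphan responses and unanswered requests as single events. The sample capture, the use of the MBAP transaction identifier as ID and the use of the request timestamp as Time are assumptions made for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class EventTime:
    """The four-tuple <ID, UID, Func, Time>; ID is taken from the MBAP transaction
    identifier and Time from the request timestamp (both assumptions of this example)."""
    id: int
    uid: int
    func: int
    time: float


def parse_mbap(frame: bytes) -> Tuple[int, int, int]:
    """Return (transaction id, unit id, function code) from one Modbus/TCP ADU.
    MBAP header: transaction id (2), protocol id (2, always 0), length (2), unit id (1)."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus/TCP" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length %d does not match frame size %d" % (length, len(frame)))
    return tid, uid, frame[7]


def build_event_sequence(capture: List[Tuple[float, str, bytes]]) -> List[EventTime]:
    """capture: (timestamp, 'req' or 'res', frame) records, e.g. from a TAP or SPAN port.
    A request and its response are merged into one event keyed by (transaction id, unit id);
    broadcasts (unit id 0), orphan responses and unanswered requests become single events."""
    pending: Dict[Tuple[int, int], Tuple[float, int]] = {}
    events: List[EventTime] = []
    for ts, direction, frame in sorted(capture, key=lambda rec: rec[0]):
        tid, uid, func = parse_mbap(frame)
        key = (tid, uid)
        if direction == "req":
            if uid == 0:                       # broadcast: no response will follow
                events.append(EventTime(tid, uid, func, ts))
            else:
                pending[key] = (ts, func)
        elif key in pending:                   # response matched to its request
            req_ts, req_func = pending.pop(key)
            events.append(EventTime(tid, uid, req_func, req_ts))
        else:                                  # orphan response; clear the exception bit 0x80
            events.append(EventTime(tid, uid, func & 0x7F, ts))
    for (tid, uid), (ts, func) in pending.items():   # requests never answered
        events.append(EventTime(tid, uid, func, ts))
    events.sort(key=lambda e: e.time)
    return events


# Constructed capture (not from the patent): read holding registers (0x03) with its reply,
# write single register (0x06) with its echo reply, a broadcast write, and an unanswered read.
SAMPLE_CAPTURE = [
    (0.000, "req", bytes.fromhex("0001 0000 0006 01 03 0000 0002")),
    (0.004, "res", bytes.fromhex("0001 0000 0007 01 03 04 000A 000B")),
    (0.010, "req", bytes.fromhex("0002 0000 0006 01 06 0001 0005")),
    (0.013, "res", bytes.fromhex("0002 0000 0006 01 06 0001 0005")),
    (0.020, "req", bytes.fromhex("0003 0000 0006 00 06 0001 0005")),
    (0.030, "req", bytes.fromhex("0004 0000 0006 01 03 0010 0001")),
]


def sample_events() -> List[EventTime]:
    return build_event_sequence(SAMPLE_CAPTURE)


if __name__ == "__main__":
    for ev in sample_events():
        print(ev)
```

The six frames collapse into four events: two request/response pairs, the broadcast, and the unanswered read, each carrying the request's function code and timestamp.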
2. Using a Markov chain, abstract the network data into states and transition relations and build the Markov model. DTMC modelling involves two parts: states and transition relations.
Each state State is a five-tuple data cell, formalised as <Data, Type, Count, FT, LT>. Data is the information that identifies the state State and is shared by all events in that state; Type is the type attribute of the elements the state represents, namely request/response pair, single request or single response; Count is the number of events in the event sequence that belong to State; FT (First Time) is the timestamp of the first event belonging to State; LT (Last Time) is the timestamp of the last event belonging to State.
Each state transition relation Transition from a source state State_Source to a destination state State_Destination is a six-tuple data cell, formalised as <Pr, Count, FJ, LJ, ATI, SDTI>. Pr is the ratio of the number of jumps from State_Source to State_Destination to the number of jumps between all states in the DTMC, i.e. the probability of the transition from State_Source to State_Destination; Count is the number of jumps from State_Source to State_Destination in the event sequence; FJ (First Jump) is the first occurrence of this transition in the event sequence; LJ (Last Jump) is its last occurrence; ATI (Average Time Interval) is the average time interval from State_Source to State_Destination; SDTI (Standard Deviation on Time Interval) is the standard deviation of the sampled state transition time intervals.
3. Build Markov chain models separately in the learning phase and in the detection phase.
The invention uses a discrete-time Markov chain (DTMC) to model the data. DTMC-based intrusion detection has two phases: a training (learning) phase and an intrusion detection phase. In the training phase, a training model that describes the normal operating behaviour of the ICS system is built from a large amount of normal ICS data; during this period it must be ensured that no anomalous data occur. After the training phase ends, the intrusion detection system can run the detection phase: the data to be inspected are read into the system and a model is built from them.
4. Apply the intrusion detection algorithm to the training phase and the detection phase, screening for anomalies in two ways: comparing the data of the two models, and checking whether the computed difference values lie within the threshold.
In the detection phase, the invention evaluates the DTMC model built in the training phase against the DTMC model built in the detection phase. The evaluation has two parts: evaluation of DTMC states and evaluation of DTMC transition relations. Each DTMC state created in the detection phase is matched against the DTMC states built in the training phase; if a state created in the detection phase matches none of the states built in the training phase, the detection mechanism considers that detection-phase DTMC state anomalous and labels it as such. The same method is applied to the detection of transition relations. For each DTMC state known from the training phase (unknown states have already been labelled anomalous), the detection algorithm examines the set of transition relations associated with that state and computes the difference between the Pr values of each transition relation that appears in both the training phase and the detection phase. Likewise, for each DTMC transition relation known from the training phase, the detection algorithm decides whether there is an anomaly by comparing the Pr value of that transition relation in the training phase with its value in the detection phase. The two difference values are defined by formula 1 and formula 2:
$$\mathrm{diff}_{Transition} = \left| depr_{Transition} - trpr_{Transition} \right| \quad \text{(formula 1)}$$

$$\mathrm{diff}_{State} = \frac{1}{2} \sum_{Transition \in T} \mathrm{diff}_{Transition} \quad \text{(formula 2)}$$

Here T is the set of transition relations belonging to the state State, so formula 2 sums formula 1 over the transitions of one state; depr_Transition is the Pr value of the transition relation Transition in the detection phase (Detection); trpr_Transition is the Pr value of Transition in the training phase (Training), taken as 0 if Transition does not exist there; the results of both formulas are decimals between 0 and 1.
A threshold θ is set for the detection of DTMC state difference values. If the result of formula 1 or formula 2 exceeds θ, the intrusion detection system sends alarm information to the user; this information includes the current DTMC state and its semantics in the environment.
The invention improves the detection algorithm according to the importance of events. Different messages, commands and parameter values affect the control system to different degrees, and the time-sequence-aware intrusion detection system can react with alarms of different severity according to how important or unimportant an anomalous event is. The invention proposes two different but interacting methods for finding the important data in the model. The first assigns higher priority to important events by giving the corresponding important states in the DTMC model a higher weight. The second finds the events already identified as important and assumes that the other events adjacent to an identified important event also have an influence. Combining the two methods, the invention marks the control data represented in the DTMC by "write" operations as important, marks the other data as unimportant, and accordingly assigns a weight to every state in the DTMC. When the importance concept is added to the detection method, i.e. a weight (weight) identifying the degree of importance is introduced, the difference value formulas above become:
$$\mathrm{diff}_{Transition} = weight_{SourceState} \cdot \left| depr_{Transition} - trpr_{Transition} \right| \quad \text{(formula 3)}$$

$$\mathrm{diff}_{State} = \frac{1}{2} \sum_{Transition \in T} weight_{DestinationState} \cdot \mathrm{diff}_{Transition} \quad \text{(formula 4)}$$

Here depr_Transition and trpr_Transition are the Pr values of the transition relation Transition in the detection phase and in the training phase respectively; weight_SourceState is the weight of the state currently being analysed (the source state of the transition relation Transition); weight_DestinationState is the weight of the destination state (DestinationState) connected to the state State by the transition relation Transition.
A state transition from state State1 to state State2 in the DTMC is based on timing: at least once, an event of State2 follows an event of State1. Fig. 2 shows the DTMC modelling process. The modelling algorithm is as follows: for each event in the time sequence, if the event matches the features of an existing state, the modelling algorithm adds it to that matching state with the updateState() function; if the event matches the features of none of the existing states, the modelling algorithm creates a new state from the event's feature values with the addState() function. At the same time, while processing each event, the modelling algorithm adds or updates the state transition relation involved by the current event with the addTransition() or updateTransition() function, connecting the state of the previously visited event to the state of the current event.
The invention illustrates the DTMC modelling process with the control-network-layer Modbus protocol. A group of Modbus protocol data sequences is extracted from simulated Modbus data, each record representing one event, as shown in Fig. 3, where every row is a Modbus protocol record and is the concrete formalisation of the time-based event sequence. The time sequence is modelled with a Markov chain as shown in Figs. 4 and 5. From the first event of the sequence, the DTMC state State1 is created: its Type is request/response pair, its Data is the combination of UID and function code, and its Count is 1. From the second element of the sequence, the model creates another DTMC state State2; its Type is the same as that of State1, and its Data is a register read of the device with UID 1. At this point, following the sequence, the model creates a transition relation Transition1 from state State1 to state State2. Next, the third event in the sequence has the same attributes as the first, so the Count attribute of the first DTMC state State1 is increased by 1; the sequence now contains a new jump from state State2 to state State1, and the model adds a new transition relation Transition2 from State2 to State1. Finally, the fourth event in the sequence has the same attributes as the second event and therefore belongs to state State2, whose Count is increased by 1; the sequence now again shows a jump from State1 to State2, and since the transition relation Transition1 connecting State1 and State2 already exists in the model, the Count of Transition1 is increased from 1 to 2.
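As an added example (not the patent's code), the following Python script implements the modelling loop of Fig. 2 with the addState(), updateState(), addTransition() and updateTransition() steps over the State five-tuple and Transition six-tuple defined above, then replays the four-event sequence of Figs. 4 and 5. The function codes chosen for the two states (6 = write single register for State1, 3 = read holding registers for State2), the timestamps, and the use of (UID, function code, Type) as the state key are assumptions; Pr is normalised over all jumps in the chain, as the page defines it.

```python
from dataclasses import dataclass, field
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# One event of the time-based sequence: (UID, function code, Type, Time), Type being
# "pair", "req" or "res" as in the State definition. The Data of a state is (UID, function code).
Event = Tuple[int, int, str, float]
StateKey = Tuple[int, int, str]


@dataclass
class State:                      # five-tuple <Data, Type, Count, FT, LT>
    data: Tuple[int, int]
    type: str
    count: int = 0
    ft: Optional[float] = None
    lt: Optional[float] = None


@dataclass
class Transition:                 # six-tuple <Pr, Count, FJ, LJ, ATI, SDTI>
    pr: float = 0.0
    count: int = 0
    fj: Optional[float] = None
    lj: Optional[float] = None
    intervals: List[float] = field(default_factory=list)   # samples from which ATI/SDTI derive

    def ati(self) -> float:       # Average Time Interval
        return mean(self.intervals) if self.intervals else 0.0

    def sdti(self) -> float:      # Standard Deviation on Time Interval
        return pstdev(self.intervals) if len(self.intervals) > 1 else 0.0


class DTMC:
    def __init__(self) -> None:
        self.states: Dict[StateKey, State] = {}
        self.transitions: Dict[Tuple[StateKey, StateKey], Transition] = {}
        self._prev: Optional[Tuple[StateKey, float]] = None   # state and time of the last event

    def add_state(self, key: StateKey, t: float) -> None:
        self.states[key] = State(data=key[:2], type=key[2], count=1, ft=t, lt=t)

    def update_state(self, key: StateKey, t: float) -> None:
        self.states[key].count += 1
        self.states[key].lt = t

    def add_transition(self, src: StateKey, dst: StateKey, t: float, gap: float) -> None:
        self.transitions[(src, dst)] = Transition(count=1, fj=t, lj=t, intervals=[gap])

    def update_transition(self, src: StateKey, dst: StateKey, t: float, gap: float) -> None:
        tr = self.transitions[(src, dst)]
        tr.count += 1
        tr.lj = t
        tr.intervals.append(gap)

    def add_event(self, ev: Event) -> None:
        """Modelling loop of Fig. 2: match or create the state of the event, then add or update
        the transition from the previous event's state to it."""
        uid, func, kind, t = ev
        key: StateKey = (uid, func, kind)
        if key in self.states:
            self.update_state(key, t)
        else:
            self.add_state(key, t)
        if self._prev is not None:
            prev_key, prev_t = self._prev
            if (prev_key, key) in self.transitions:
                self.update_transition(prev_key, key, t, t - prev_t)
            else:
                self.add_transition(prev_key, key, t, t - prev_t)
        self._prev = (key, t)

    def finalize(self) -> None:
        """Pr = jumps on this transition / jumps between all states of the DTMC."""
        total = sum(tr.count for tr in self.transitions.values())
        for tr in self.transitions.values():
            tr.pr = tr.count / total if total else 0.0


# Constructed four-event sequence following Figs. 4 and 5; the function codes and timestamps
# are assumptions of this example.
SAMPLE_SEQUENCE: List[Event] = [(1, 6, "pair", 0.0), (1, 3, "pair", 0.5),
                                (1, 6, "pair", 1.0), (1, 3, "pair", 1.5)]


def build_model(seq: List[Event]) -> DTMC:
    model = DTMC()
    for ev in seq:
        model.add_event(ev)
    model.finalize()
    return model


if __name__ == "__main__":
    m = build_model(SAMPLE_SEQUENCE)
    for key, s in m.states.items():
        print("state", key, "Count", s.count, "FT", s.ft, "LT", s.lt)
    for (src, dst), tr in m.transitions.items():
        print("transition", src, "->", dst, "Pr", round(tr.pr, 3), "Count", tr.count,
              "ATI", tr.ati(), "SDTI", tr.sdti())
```

Running it reproduces the walk-through: State1 and State2 both end with Count 2, Transition1 (State1 to State2) has Count 2 and Pr 2/3, Transition2 (State2 to State1) has Count 1 and Pr 1/3, and the ATI/SDTI fields show the regular 0.5 s spacing of the constructed timestamps.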
A threshold θ is set for the detection of DTMC state difference values. If the result of formula 1 or formula 2 exceeds θ, the intrusion detection system sends alarm information to the user, including the current DTMC state and its semantics in the environment. The value of θ matters greatly, because the performance of the intrusion detection system depends heavily on it. If θ is set too high, the precision of the detection system rises and false alarms are few, but its recall falls and missed detections increase. If θ is set too low, the detection process produces a large number of false alarms, the whole intrusion detection system remains in a state of continuous false alarms, and intrusion detection stops being useful. The threshold setting also depends on the characteristics of the environment in which the intrusion detection system runs: if the communication pattern of the control system is highly variable, the intrusion detection system needs a higher threshold.
The detection algorithm can run either in an offline environment, for example processing offline control network data, or in an online environment, i.e. in a running system. Offline detection starts only after the whole offline data stream has been analysed: once the intrusion detection system has collected all the control network data, built the DTMC model and computed all the difference values. Online detection needs a finer analysis. In practice the DTMC model changes as the number of packets captured by the intrusion detection system grows. In the DTMC model built in the initial phase of reading test data, the number of transition relations is inevitably small, so the Pr values of the transition relations easily deviate from the corresponding Pr values built in the training phase. Online detection therefore has to wait for a reasonable period, chosen according to the specific situation of the ICS system, so that the number of control network packets obtained in the detection phase is comparable with the number of packets read in the training phase.
Based on the difference in event importance, the invention improves the intrusion detection algorithm. It designs an algorithm that, starting from the known subset of important states in the DTMC made up of control data, assigns a weight to every state in the DTMC, as shown in Figs. 6 and 7. In Fig. 6 the state values are stored on a stack and the algorithm of Fig. 7 is called to compute the weights. In Fig. 7 the variable stateWeight is the sum, weighted by Pr, of all jumps from the state State to all states identified as important.
When the importance concept is added to the detection method, i.e. a weight (weight) identifying the degree of importance is introduced, formula 1 and formula 2 change into the forms of formula 3 and formula 4.
If the weight (weight) of a state ranges from 0 to 1, the result of formula 3 is still a decimal from 0 to 1. The invention sets the weight of the important states corresponding to critical events in the data to 1 and the importance value of the other states to 0, then runs the two algorithms of Figs. 6 and 7; after they finish, the weights of all states are decimals from 0 to 1.
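As an added example that is not the patent's code, the following Python script runs the detection step described above over two constructed Pr tables, a training model and a detection model: it performs the state-matching step that labels unknown detection-phase states anomalous, computes formulas 3 and 4 (or formulas 1 and 2 when use_weights=False), applies the threshold θ, and derives the state weights in the spirit of Figs. 6 and 7, with Modbus write function codes marking the important states (weight 1) and every other state receiving the Pr-weighted sum of its jumps into important states. The Pr tables, the choice of write function codes as the "control data", the one-hop weight propagation, the treatment of a transition missing from the detection phase as depr = 0, and the threshold value are assumptions of the example.

```python
from typing import Dict, List, Set, Tuple

StateKey = Tuple[int, int]                          # (UID, function code); Type omitted here
PrTable = Dict[Tuple[StateKey, StateKey], float]    # (source, destination) -> Pr

# Modbus write function codes: the "control data" treated as important (assumption)
WRITE_FUNCS = {5, 6, 15, 16}


def states_of(pr: PrTable) -> Set[StateKey]:
    return {s for edge in pr for s in edge}


def state_weights(train: PrTable) -> Dict[StateKey, float]:
    """Weights in the spirit of Figs. 6 and 7 (assumed one-hop version): important states get 1,
    every other state gets the Pr-weighted sum of its jumps into important states, so all
    weights lie in [0, 1] because the Pr values of a DTMC sum to 1."""
    important = {s for s in states_of(train) if s[1] in WRITE_FUNCS}
    weights = {s: 1.0 for s in important}
    for s in states_of(train) - important:
        weights[s] = min(1.0, sum(p for (src, dst), p in train.items()
                                  if src == s and dst in important))
    return weights


def detect(train: PrTable, det: PrTable, theta: float, use_weights: bool = True):
    """Return (diff per transition, diff per state, alarms). With use_weights=False all weights
    are 1 and the formulas reduce to formulas 1 and 2; otherwise formulas 3 and 4 apply."""
    train_states, det_states = states_of(train), states_of(det)
    unknown = det_states - train_states            # state matching: no training counterpart
    if use_weights:
        weights = state_weights(train)
        for s in unknown:
            weights.setdefault(s, 0.0)             # never seen in training: no importance weight
    else:
        weights = {s: 1.0 for s in train_states | det_states}
    # formula 3 (formula 1 when unweighted); trpr is 0 for a transition absent from training,
    # and depr is 0 for one absent from the detection phase (assumption)
    diff_t = {edge: weights[edge[0]] * abs(det.get(edge, 0.0) - train.get(edge, 0.0))
              for edge in set(train) | set(det)}
    # formula 4 (formula 2 when unweighted); T = the transitions leaving the state
    diff_s = {s: 0.5 * sum(weights[dst] * d for (src, dst), d in diff_t.items() if src == s)
              for s in train_states | det_states}
    alarms: List[Tuple[str, object]] = [("unknown-state", s) for s in sorted(unknown)]
    alarms += [("transition", e) for e, d in sorted(diff_t.items()) if d > theta]
    alarms += [("state", s) for s, d in sorted(diff_s.items()) if d > theta]
    return diff_t, diff_s, alarms


# Constructed Pr tables (not from the patent). A = read holding registers, W = write single
# register, C = write multiple registers, X = read device identification (unseen in training).
A, W, C, X = (1, 3), (1, 6), (1, 16), (1, 43)
TRAIN: PrTable = {(A, A): 0.5, (A, W): 0.2, (W, A): 0.2, (A, C): 0.05, (C, A): 0.05}
DETECT: PrTable = {(A, A): 0.4, (A, W): 0.25, (W, A): 0.25, (A, C): 0.05, (A, X): 0.05}
THETA = 0.04


def run_example():
    return detect(TRAIN, DETECT, THETA)


if __name__ == "__main__":
    diff_t, diff_s, alarms = run_example()
    for edge, d in sorted(diff_t.items()):
        print("transition", edge, "diff", round(d, 4))
    for s, d in sorted(diff_s.items()):
        print("state", s, "diff", round(d, 4))
    print("alarms:", alarms)
```

With these tables the read state A gets weight 0.25 (its jumps into the two write states), so the 0.1 shift on the read-to-read transition is damped to 0.025 and stays under θ, while the 0.05 shifts on the transitions leaving the write states keep their full weight and trigger alarms, as does the state X that never appeared in training; the same run with use_weights=False shows the unweighted formula 1 alarming on the read-to-read transition as well.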

Claims (9)

1. An intrusion detection method based on Markov chains, characterized in that:
Step 1: extract network packet features and construct a data model based on Markov chains;
Step 2: construct Markov chain models in the training stage and in the detection stage respectively;
Step 3: improve the intrusion detection algorithm according to event importance;
Step 4: use the improved intrusion detection algorithm to perform anomaly detection on the Markov chains of the training stage and the detection stage, and obtain the anomaly result.
2. The intrusion detection method based on Markov chains according to claim 1, characterized in that: said extraction of network packet features defines the network data as a time-based event sequence; for the Modbus protocol, the concrete form of said time-based event sequence is described as {EventTime};
EventTime represents a four-tuple <ID, UID, Func, Time>:
ID uniquely identifies a request/response message pair;
UID represents the unit ID in the Modbus TCP protocol and uniquely identifies the slave address;
Func represents the function code of this Modbus event;
Time represents the time.
3. The intrusion detection method based on Markov chains according to claim 1 or 2, characterized in that: said construction of a data model based on Markov chains models states and transition relations:
Each state State is a five-tuple data cell, formalized as <Data, Type, Count, FT, LT>;
Each state transition relation Transition from a source state StateSource to a destination state StateDestination is a six-tuple data cell, formalized as <Pr, Count, FJ, LJ, ATI, SDTI>.
4. The intrusion detection method based on Markov chains according to claim 1 or 2, characterized in that: said improvement of the intrusion detection algorithm according to event importance sets a weight (weight) for the corresponding important states in the DTMC model to identify the degree of importance of different states; and an event adjacent to an identified important event is also an event that has an effect.
5. The intrusion detection method based on Markov chains according to claim 3, characterized in that: said improvement of the intrusion detection algorithm according to event importance sets a weight (weight) for the corresponding important states in the DTMC model to identify the degree of importance of different states; and an event adjacent to an identified important event is also an event that has an effect.
6. The intrusion detection method based on Markov chains according to claim 1 or 2, characterized in that: said anomaly detection calculates difference values by the following two formulas; a threshold θ is set for the detection process on the DTMC state difference values, after which each difference value is compared with the threshold θ to detect whether there is an anomaly:

$$\mathit{diff}_{\mathit{Transition}} = \mathit{weight}_{\mathit{SourceState}} \cdot \left| \mathit{depr}_{\mathit{Transition}} - \mathit{trpr}_{\mathit{Transition}} \right|$$

$$\mathit{diff}_{\mathit{State}} = \frac{1}{2} \sum_{\mathit{Transition} \in T} \mathit{weight}_{\mathit{DestinationState}} \cdot \mathit{diff}_{\mathit{Transition}}$$
7. The intrusion detection method based on Markov chains according to claim 3, characterized in that: said anomaly detection calculates difference values by the following two formulas; a threshold θ is set for the detection process on the DTMC state difference values, after which each difference value is compared with the threshold θ to detect whether there is an anomaly:

$$\mathit{diff}_{\mathit{Transition}} = \mathit{weight}_{\mathit{SourceState}} \cdot \left| \mathit{depr}_{\mathit{Transition}} - \mathit{trpr}_{\mathit{Transition}} \right|$$

$$\mathit{diff}_{\mathit{State}} = \frac{1}{2} \sum_{\mathit{Transition} \in T} \mathit{weight}_{\mathit{DestinationState}} \cdot \mathit{diff}_{\mathit{Transition}}$$
8. The intrusion detection method based on Markov chains according to claim 4, characterized in that: said anomaly detection calculates difference values by the following two formulas; a threshold θ is set for the detection process on the DTMC state difference values, after which each difference value is compared with the threshold θ to detect whether there is an anomaly:

$$\mathit{diff}_{\mathit{Transition}} = \mathit{weight}_{\mathit{SourceState}} \cdot \left| \mathit{depr}_{\mathit{Transition}} - \mathit{trpr}_{\mathit{Transition}} \right|$$

$$\mathit{diff}_{\mathit{State}} = \frac{1}{2} \sum_{\mathit{Transition} \in T} \mathit{weight}_{\mathit{DestinationState}} \cdot \mathit{diff}_{\mathit{Transition}}$$
9. The intrusion detection method based on Markov chains according to claim 5, characterized in that: said anomaly detection calculates difference values by the following two formulas; a threshold θ is set for the detection process on the DTMC state difference values, after which each difference value is compared with the threshold θ to detect whether there is an anomaly:

$$\mathit{diff}_{\mathit{Transition}} = \mathit{weight}_{\mathit{SourceState}} \cdot \left| \mathit{depr}_{\mathit{Transition}} - \mathit{trpr}_{\mathit{Transition}} \right|$$

$$\mathit{diff}_{\mathit{State}} = \frac{1}{2} \sum_{\mathit{Transition} \in T} \mathit{weight}_{\mathit{DestinationState}} \cdot \mathit{diff}_{\mathit{Transition}}$$
CN201610821236.0A 2016-09-13 2016-09-13 Intrusion detection method based on Markov chains Active CN106330949B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610821236.0A CN106330949B (en) 2016-09-13 2016-09-13 Intrusion detection method based on Markov chains

Publications (2)

Publication Number Publication Date
CN106330949A true CN106330949A (en) 2017-01-11
CN106330949B CN106330949B (en) 2019-07-16

Family

ID=57787793

Country Status (1)

Country Link
CN (1) CN106330949B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1744524A (en) * 2005-09-02 2006-03-08 杭州华为三康技术有限公司 Invasion detecting device and invasion detecting system
CN101494535A (en) * 2009-03-05 2009-07-29 范九伦 Method for constructing network intrusion scenarios based on hidden Markov models
CN101615186A (en) * 2009-07-28 2009-12-30 东北大学 A kind of BBS user's abnormal behaviour auditing method based on Hidden Markov theory
CN104601591A (en) * 2015-02-02 2015-05-06 中国人民解放军国防科学技术大学 Detection method of network attack source organization
CN105306463A (en) * 2015-10-13 2016-02-03 电子科技大学 Modbus TCP intrusion detection method based on support vector machine

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
尹清波 (Yin Qingbo): "基于机器学习的入侵检测方法研究" (Research on intrusion detection methods based on machine learning), 中国优秀硕士学位论文 (China Master's Theses Full-text Database) *

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107220540A (en) * 2017-04-19 2017-09-29 南京邮电大学 Intrusion detection method based on intensified learning
CN107948149A (en) * 2017-11-21 2018-04-20 杭州安恒信息技术有限公司 Tactful self study and optimization method and device based on random forest
CN107948149B (en) * 2017-11-21 2021-02-26 杭州安恒信息技术股份有限公司 Random forest based strategy self-learning and optimizing method and device
CN109936545A (en) * 2017-12-18 2019-06-25 华为技术有限公司 The detection method and relevant apparatus of Brute Force attack
CN109936545B (en) * 2017-12-18 2020-07-24 华为技术有限公司 Detection method and related device for brute force cracking attack
US11388189B2 (en) 2017-12-18 2022-07-12 Huawei Technologies Co., Ltd. Method for detecting brute force attack and related apparatus
CN109344610A (en) * 2018-08-31 2019-02-15 中国科学院信息工程研究所 The detection method and device of sequence attack
CN109344610B (en) * 2018-08-31 2020-09-11 中国科学院信息工程研究所 Method and device for detecting sequence attack
CN110460458A (en) * 2019-04-15 2019-11-15 清华大学深圳研究生院 Traffic anomaly detection method based on multi-order Markov chains
CN110460458B (en) * 2019-04-15 2022-03-11 清华大学深圳研究生院 Flow anomaly detection method based on multi-order Markov chain

Also Published As

Publication number Publication date
CN106330949B (en) 2019-07-16

Similar Documents

Publication Publication Date Title
CN106330949A (en) Intrusion detection method based on Markov chains
CN110324316B (en) Industrial control abnormal behavior detection method based on multiple machine learning algorithms
Zolanvari et al. Effect of imbalanced datasets on security of industrial IoT using machine learning
Kiss et al. Data clustering-based anomaly detection in industrial control systems
Zhang et al. Random-forests-based network intrusion detection systems
Shirazi et al. Evaluation of anomaly detection techniques for scada communication resilience
CN104125112B (en) Physical-information fuzzy inference based smart power grid attack detection method
Liu et al. A novel intrusion detection algorithm for industrial control systems based on CNN and process state transition
CN110519276A (en) Method for detecting intranet lateral movement attacks
Elsayed et al. PredictDeep: security analytics as a service for anomaly detection and prediction
CN107491058B (en) Industrial control system sequence attack detection method and device
Hemmati et al. Reducing the cost of model-based testing through test case diversity
Nikolova et al. Some similarity coefficients and application of data mining techniques to the anomaly-based IDS
Basile et al. An approach for detecting and distinguishing errors versus attacks in sensor networks
Sheriff et al. Process monitoring using PCA-based GLR methods: A comparative study
Chen et al. Detection of false data injection attacks on power systems using graph edge-conditioned convolutional networks
CN112787984A (en) Vehicle-mounted network anomaly detection method and system based on correlation analysis
Luktarhan et al. Multi-stage attack detection algorithm based on hidden markov model
CN110334510A (en) Malicious file detection technique based on the random forest algorithm
Madhuri et al. Anomaly detection techniques
Altman et al. Rejuvenation and the spread of epidemics in general topologies
CN104751059A (en) Function template based software behavior analysis method
Guibene et al. A pattern mining-based false data injection attack detector for industrial cyber-physical systems
Ullah et al. Measurable challenges in smart grid cybersecurity enhancement: A brief review
Lee et al. Rail system anomaly detection via machine learning approaches

Legal Events

Date Code Title Description
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant